[opensource] Persistent ResNET Login

Brian Swaney swaneybr at opensource.osu.edu
Fri May 13 08:47:16 EDT 2011


On 05/13/2011 12:12 AM, friedly.1 at osu.edu wrote:
> I'd suggest just adding it to a bootup script and it will log you in
> on startup and keep you logged in.
Assuming people take your advice and run your script at startup, let's
take some things into consideration. Looking over your code, it appears
you're checking for the first HTTPS link in the page that says you're
being redirected. What happens if you take your laptop to some open Wifi
spot at a restaurant or something? What happens if an arbitrary
restaurant, or worse some open/piggybacked wireless access point,
decides to use a similar-looking captive portal (not even necessarily
Cisco Clean Access)? What if I decide to run a network called "Free
internet" that redirects you to
https://osu.mybadsite.com/resnetloginform the first time you connect?
What happens if one of us goes to DefCon with this script sitting in our
rc.local? Hell, I could break it with just go.osu.edu/udt. Are you
going to want to automatically hand your OSU username/password to any
arbitrary network as soon as you connect?

May I suggest actually verifying that the target address is
https://SOMETHING.resnet.ohio-state.edu instead of just
https://SOMETHING, and then (if Python doesn't already do this) VALIDATE
the certificate (CA is currently Internet2, so reject anything else)?
Also worth checking, I believe every ResNet IP address starts with
164.107, and with the exception of the medical center most places on
campus do not use NAT, so you should probably not hand out your
credentials if you get an address of 192.168.1.XXX, although that
probably won't make you much safer from a dedicated hacker.

ResNet has most definitely fallen into a gutter as of late, and I (like
most of its users) can certainly appreciate some automation. I'd love to
see something like this out there working against Student Life IT's
attitude of "if we make it less convenient for users then we'll
magically make things safer because security and convenience is always a
1:1 tradeoff". As it stands now, you invariably end up having to sign in
every couple hours (used to be about a week), with your SSH connections,
online homework assignments, games, and everything else imaginable
getting interrupted at inopportune times. However, the way this script
works really puts people at risk of bad things happening. Keeping in
mind that you're dealing with sensitive information (plaintext
passwords), you should really take better care to protect them, like by
only transmitting them when you're damn sure it's ResNet that the user
is connected to and not some other ISP.

> conn = urllib.urlopen("http://www.xkcd.com/404")

I know XKCD gets plenty of hits now, and deals with them fairly well,
but just as a courtesy to them, shouldn't we point our every-5-second
requests somewhere else so we're not needlessly flooding an innocent
third party? Perhaps http://resnet.osu.edu/RANDOM_STRING would be a
better fit here.

Brian Swaney
Open Source Club at
Ohio State University
Website Administrator
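The checks recommended in the message above (an https target whose host is SOMETHING.resnet.ohio-state.edu, a certificate-validating TLS context, and a local address in 164.107.0.0/16 before any credentials are sent), as an added Python 3 example that is not part of the original script or of this thread. The sample redirect pages, the helper names, and the optional CA-bundle path are constructed assumptions for illustration.

```python
import ipaddress
import re
import ssl
from urllib.parse import urlparse

# Assumptions for this example, taken from the message rather than from any script:
RESNET_DOMAIN = "resnet.ohio-state.edu"                  # portal must be under this
RESNET_NETWORK = ipaddress.ip_network("164.107.0.0/16")  # ResNet address range

# Constructed sample pages: what a captive portal might return to the probe.
GENUINE_PAGE = ('<html><body>You are being redirected to '
                '<a href="https://login.resnet.ohio-state.edu/resnetloginform">'
                'login</a></body></html>')
SPOOFED_PAGE = ('<html><body>You are being redirected to '
                '<a href="https://osu.mybadsite.com/resnetloginform">'
                'login</a></body></html>')


def first_https_link(html):
    """Return the first https:// URL in the page, or None (what the original
    script keyed on; on its own this is not a safe trigger)."""
    match = re.search(r'https://[^\s"\'<>]+', html)
    return match.group(0) if match else None


def is_resnet_portal(url):
    """True only for https://SOMETHING.resnet.ohio-state.edu/...
    Rejects plain http, bare IPs, look-alikes such as osu.mybadsite.com or
    login.resnet.ohio-state.edu.evil.example, and user@host tricks."""
    try:
        parts = urlparse(url)
        host = parts.hostname  # lower-cased, userinfo and port stripped
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    labels = host.split(".")
    suffix = RESNET_DOMAIN.split(".")
    # At least one non-empty label before the suffix, and every label non-empty.
    return (len(labels) > len(suffix)
            and labels[-len(suffix):] == suffix
            and all(labels))


def has_resnet_address(local_ip):
    """True if the interface address is inside 164.107.0.0/16; a 192.168.x.x
    or other address means this is probably not ResNet at all."""
    try:
        addr = ipaddress.ip_address(local_ip)
    except ValueError:
        return False
    return addr.version == 4 and addr in RESNET_NETWORK


def verifying_context(cafile=None):
    """TLS context that refuses unverified certificates and checks the hostname.
    Pass cafile=<path to the Internet2 CA bundle> (path is an assumption; the
    message names the CA, not a file) to reject every other issuer; with None
    the system trust store is used."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def should_submit_credentials(page_html, local_ip):
    """Decide whether the login form found in page_html may receive the
    OSU username/password. Both the host check and the address check must pass."""
    target = first_https_link(page_html)
    return target is not None and is_resnet_portal(target) and has_resnet_address(local_ip)


if __name__ == "__main__":
    for page, ip in ((GENUINE_PAGE, "164.107.12.34"), (SPOOFED_PAGE, "164.107.12.34"),
                     (GENUINE_PAGE, "192.168.1.7")):
        print(first_https_link(page), ip, "->", should_submit_credentials(page, ip))
```

The submission itself would then go through `urllib.request.urlopen(req, context=verifying_context())` so that a forged certificate fails closed; note that `is_resnet_portal` deliberately rejects the bare `resnet.ohio-state.edu` because the message asks for a host of the form SOMETHING.resnet.ohio-state.edu.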
